The Department of Justice’s recent and third update to its Guidance on the Evaluation of Corporate Compliance Programs aims to help federal prosecutors in the decision-making process regarding prosecutions, monetary penalties, and other requirements that may be imposed as a result of an investigation into corporate misconduct.
So, what does an effective compliance program look like? The updated guidance focuses on several factors, including a trusted confidential reporting structure and investigation process, stating that a “hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct.”
The guidance also stresses that companies must take appropriate steps to ensure a corporate culture that encourages confidential reporting and protects whistleblowers from retaliation.
Three Questions for Evaluating a Confidential Reporting Process
In evaluating your own confidential reporting process, consider the three questions the DOJ manual requires prosecutors to ask when evaluating a company’s compliance program and our recommendations.
Is It Well Designed?
As discussed in the guidance, a confidential reporting mechanism is a hallmark of a well-designed compliance program. As a first step in your evaluation, the question is whether you have a reporting mechanism. If the answer is no, be prepared to answer why.
The point of a trusted confidential reporting process is to prevent and detect misconduct. If your response to why your organization does not have a reporting channel in place is something that sounds like “we have an open-door policy” or “we’re like a family here and don’t need a confidential reporting mechanism” this will not be well-received by a regulator and falls short of establishing that you have an effective compliance program.
It is woefully shortsighted (or willfully blind) to believe that your organization will always be free from any type of wrongdoing.
Once you have a reporting mechanism in place, analyze how it is publicized to the organization’s stakeholders. The availability and use of a confidential reporting channel should be shared not only with employees, but with others outside the organization. Vendors and other third parties may have unique and early insight into potential wrongdoing.
Prompt notification and remediation of alleged fraud or corruption helps mitigate the risk of potentially damaging and costly consequences, such as reputational harm and litigation costs or settlement penalties.
Is It Being Applied Earnestly and in Good Faith?
How does your senior leadership support your reporting hotline? Do they refer to it in derogatory ways? Is it given a vague or misleading name in hopes that no one will know the true purpose? Referring to a “snitch line” or burying the existence of a reporting platform by calling it an “employee helpline” at the end of an employee handbook or code of conduct does not demonstrate a culture of compliance and does not help establish a “speak-up” culture.
Review and revise your policies as needed and train around your program consistently.
A process for addressing the issues reported once they are received through the confidential reporting mechanism is key to your program. Make sure that your intake program includes a triage process that ensures that the complaint lands with objective and qualified professionals in the appropriate department.
For example, allegations of discrimination may be reviewed by human resources while corruption allegations may be investigated by legal compliance. Any report needs to be in the right hands to ensure that a prompt investigation and appropriate remedial steps are taken.
Does It Work?
As the guidance specifically states, the existence of misconduct in your organization does not mean that your program is ineffective. In fact, if you have a hotline set up and no reports are received, this could indicate a lack of awareness or trust in your reporting platform. If this is happening in your organization, consider conducting a survey to evaluate confidence in your program and do this at least annually as a health check.
Questions targeted at determining effectiveness may include whether employees believe that your platform protects their anonymity, if they believe that there are consequences for violating company policy, and if they believe that their employment status may be negatively impacted by reporting misconduct.
The answers to questions like these will help guide your next steps. It is critically important to be nimble and to shift your messaging or redesign your misconduct reporting program if it is not effective, not only because a regulator may view a stagnant program negatively but for the profitability and reputation of your organization.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Tricia Fratto is the co-founder and general counsel of Ethics Suite, which offers a web-based and anonymous internal misconduct, theft, and fraud reporting platform and a range of legal-compliance and forensic accounting consulting services. Her prior legal practice focused on internal and government facing investigations, in private practice and most recently as the director of global investigations for a Fortune 500 company.
Juliette Gust is the co-founder and president of Ethics Suite. She has personally conducted or led more than 1,500 investigations spanning 75 countries and has advised on more than 10,000 employee ethics line reports.